One of the many ways that hackers pass malicious data through firewalls
Thursday, March 5th, 2009

David Kennedy is a security researcher and the author of a very powerful vulnerability-testing tool called Fast-track. You can find out more about this tool and how it works at David's website, www.thepentest.com. One of the really interesting aspects of this tool is the method he has developed for "sneaking" malicious data past firewalls.
Briefly, the technique used is to convert (malicious) binary code to raw hex code, which is then echoed to a text document on the computer being attacked. Windows Debug can then be used to convert the hex code back into an executable file ON THE TARGET. It is not likely that any firewall or UTM would ever be able to identify these bytes of hex as a threat as they trickle through. There is normally a 64 kilobyte limit on the size of files that Debug can re-assemble from hex into binary, but this limitation can be overcome by first loading a "hacked" version of Debug (one that does not have the 64k limitation). This is possible because the hacked version of Debug is itself less than 64k. Very slick! This is a simple, elegant, and utterly beautiful way to slip a malicious payload past virtually any protective device.
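Because the hex trickles through the perimeter as harmless-looking text, the place this pattern is visible is on the host, not at the firewall: a sequence of `echo` commands appending DEBUG script verbs to one file, followed by `debug.exe` reading that file on standard input. The following is an added example for this post (not David Kennedy's code and not part of Fast-track) of what that host-side correlation looks like. It assumes process-creation telemetry (Sysmon event 1 or Windows 4688, for instance) has been exported into a simple `pid|parent_image|image|command_line` text form; that field layout and the sample events are constructed for illustration.

```python
"""Host-side detection of the hex-echo / DEBUG.EXE reassembly pattern.

Added example, not from the original post. Assumes process-creation
telemetry exported as "pid|parent_image|image|command_line" lines; the
layout and the sample events below are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample telemetry: one benign launch, a staged echo sequence
# writing DEBUG verbs into C:\Temp\s.txt, debug.exe consuming it, and a
# benign echo redirect that should not be flagged.
SAMPLE_EVENTS = [
    "4001|explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt",
    "4002|cmd.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c echo n out.exe >> C:\\Temp\\s.txt",
    "4003|cmd.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c echo e 0100 4d 5a 90 00 >> C:\\Temp\\s.txt",
    "4004|cmd.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c echo w >> C:\\Temp\\s.txt",
    "4005|cmd.exe|C:\\Windows\\System32\\debug.exe|debug.exe < C:\\Temp\\s.txt",
    "4006|cmd.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c echo hello > C:\\Temp\\note.txt",
]

DEBUG_IMAGE = re.compile(r"(^|\\)debug\.exe$", re.IGNORECASE)
STDIN_REDIRECT = re.compile(r"<\s*\"?([^\"\s]+)")
ECHO_REDIRECT = re.compile(
    r"\becho\s+(?P<body>.+?)\s*>{1,2}\s*\"?(?P<target>[^\"\s]+)", re.IGNORECASE)
# DEBUG script verbs: e (enter bytes at an offset), n (name the output file),
# rcx followed by a bare hex length on the next line, w (write), q (quit).
DEBUG_VERB = re.compile(
    r"^(e\s+[0-9a-f]{3,4}(\s+[0-9a-f]{2})+|n\s+\S+|rcx|[0-9a-f]{1,4}|w|q)\s*$",
    re.IGNORECASE)


def parse_event(line):
    """Split one exported telemetry line into its four fields."""
    pid, parent, image, cmdline = line.split("|", 3)
    return {"pid": int(pid), "parent": parent, "image": image, "cmdline": cmdline}


def looks_like_debug_script(text):
    """Content check for a file about to be fed to debug.exe: every
    non-empty line is a DEBUG verb and one of them writes the output."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if not lines:
        return False
    return all(DEBUG_VERB.match(l) for l in lines) and any(l.lower() == "w" for l in lines)


def analyze(lines):
    """Return (pid, severity, reason) findings. Echoes of DEBUG verbs are
    medium on their own; debug.exe reading a file those echoes built is high."""
    findings = []
    staged = defaultdict(list)  # lower-cased target path -> pids that appended verbs
    for ev in map(parse_event, lines):
        m = ECHO_REDIRECT.search(ev["cmdline"])
        if m and DEBUG_VERB.match(m.group("body").strip()):
            target = m.group("target")
            staged[target.lower()].append(ev["pid"])
            findings.append((ev["pid"], "medium", f"echo of DEBUG script line into {target}"))
            continue
        if DEBUG_IMAGE.search(ev["image"]):
            r = STDIN_REDIRECT.search(ev["cmdline"])
            script = r.group(1) if r else None
            if script and script.lower() in staged:
                findings.append((ev["pid"], "high",
                                 f"debug.exe fed {script}, assembled by pids {staged[script.lower()]}"))
            elif script:
                findings.append((ev["pid"], "high", f"debug.exe run with scripted stdin {script}"))
            else:
                findings.append((ev["pid"], "low", "interactive debug.exe launch"))
    return findings


if __name__ == "__main__":
    for pid, severity, reason in analyze(SAMPLE_EVENTS):
        print(f"{severity:6} pid={pid} {reason}")
```

The correlation key is the redirect target path, so a single `echo` of a DEBUG verb is only a medium-confidence signal (batch files legitimately write short text), while `debug.exe` consuming a file that earlier echoes built is the combination worth paging on. `looks_like_debug_script` is the matching content check for a file-monitoring hook, and it deliberately ignores what the hex bytes decode to, since that is exactly the part the firewall could not judge either.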
This is a perfect example of why no firewall or UTM can ever provide complete protection from malicious code. Are we doomed? Hopefully not. The payload being delivered still depends upon some sort of vulnerability at the application layer to break things. This highlights the importance of application and operating system patching. Vulnerabilities in software are a fact of life. Within the foreseeable future, there will be no perfect software. As vulnerabilities are discovered, software vendors provide patches. The best (in the long run, the only) defense against application attacks is to keep everything up to date and patched. This won't protect you from newly discovered (aka zero-day) threats which have not yet been patched, but the vast majority of attacks are against vulnerabilities that have been documented and for which there ARE patches. The "bad guys" rely on the fact that most applications, and even most operating systems, have not been patched.
Operating systems will typically download and install security updates automatically unless configured not to. If your environment is configured to not auto-update (as in a business network), it is CRITICAL to monitor security updates, test them as necessary, and install them as soon as possible. The greatest vulnerabilities in most business networks are missing security patches.
Applications often do not auto-update. Secunia provides a personal software scanner and an online software scanner (both free), as well as a corporate software scanner, that provide an excellent way to detect and correct missing security updates in applications. Consider including periodic scanning with these products in your NerdCare plan.
In the next few articles, we will discuss various types of application level attacks in more detail.
Dennis H in West Virginia, US
February 20, 2009